Sopra Steria - 2018 Registration document

DETAILED PRESENTATION OF SOPRA STERIA Risk factors and internal control

8.3.3 COMPONENTS OF THE INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM

a. Environment

Sopra Steria Group’s internal control and risk management system is founded upon the Group’s four-tier operational organisation as well as its centralised functional organisation. Each tier of the operational organisation is directly involved in the implementation of internal control and risk management practices. To this end, the Group has put in place a set of operating principles and rules, along with the appropriate delegations of authority. It is the responsibility of all Group employees to familiarise themselves with these rules and to apply them.

For more information on the Group’s organisation, see Section 7, “Group organisation”, of this chapter (pages 27 to 28).

b. A shared management control system

The management control system is designed not only to manage the dissemination of information, upwards to Executive Management and downwards to the operational units, but also to guide, control and support the Group’s employees. It involves steering meetings held at each of the different organisational levels, including the Group’s Executive Committee. These meetings are governed by specific standards (reporting timetable, participants, agenda, documents to be presented at the beginning and end of the meeting) and are supported by the management reporting system.

Meetings are held according to a calendar, dependent on the organisational level and timeframe objectives:

- weekly meetings for the current month: Priority is given to the monitoring of sales, production and human resources;
- monthly meetings for the current year: In addition to the topics discussed at the weekly meetings, additional emphasis is placed on financial indicators (entity performance for the previous month, update of annual forecasts, actual vs. budget, progress report on actions in line with the medium-term strategy);
- annual meetings, looking ahead several years: The medium-term strategy and the annual budget process for the entities are discussed in the context of the Group’s overall strategic plan.

The implementation of this system at all operational and functional entities is a highly effective vehicle for cohesiveness, the sharing of values and practices throughout the Group, and control.

c. Tools

The Group’s management applications and office automation software are designed to standardise the documents produced by the Group. The production tools used or developed by the Group allow for the industrialisation of project delivery by improving the quality of deliverables. They incorporate the processes that make up the Group’s production methodology.

d. A shared framework for Group rules

Code of Ethics, anti-corruption Code of conduct and code of conduct for stock market transactions

The aims of the Group’s Code of Ethics, which is based on its core values, are to ensure compliance with international treaties, laws and regulations in force in all countries where it operates, and to reaffirm the Group’s ethical principles.

In 2017, the Code of Ethics was supplemented by a code of conduct for stock market transactions whose main aim is to reiterate and clarify the rules regarding sensitive information, insider information and the management of securities.

In 2018, the Code of Ethics was further supplemented by an anti-corruption code of conduct, setting out the rules and behaviours to be adopted to prevent corruption and influence peddling. For more details on the anti-corruption code of conduct, see the “Ethics and compliance” section of Chapter 3, “Corporate responsibility”, on pages 99 to 101.

Group rules, policies and procedures

In 2017, work was carried out to formally document the Group’s rules and applicable decision-making levels. A corpus of Group rules and delegations of authority (decision-making levels) was thus re-established and consolidated across the Group to provide a common foundation for all processes. These rules apply to all employees at any Group entity.

These general rules have been adapted to the Group’s various entities, and continue to be supplemented at Group level via the formal documentation of procedures, always with a focus on the continuous improvement of internal control and so as to better manage the risks identified in the course of the Group’s risk mapping exercises. These Group rules and procedures are then further detailed to take into account local regulatory constraints across all of the Group’s geographical operations.

The areas covered by the rules and procedures include organisation and delivery management, internal control and accounting practices, information systems, human resources, production and quality assurance, sales and marketing, and procurement. These rules and procedures are available via the Group’s intranet. They are reinforced through the Group’s various training and communications initiatives.
On the production front, Sopra Steria’s Quality System defines all the production, management and quality assurance processes required to successfully manage projects. The primary goal is to contribute effectively to the delivery of high quality IT systems that meet clients’ needs in line with time and budget constraints. This methodology defines project management practices and processes suited to various environments and at different levels of management and supervision, as well as software engineering practices and processes. The basic principles of the Quality System are described in a Quality Manual supplemented by procedural guides and operating manuals. UK, Scandinavia and CIMPA apply mechanisms that are similar but rely on specific methods geared to the primary characteristics of their activities.

Information security risks and IT/communications infrastructure risks are subject to the specific oversight of the Chief Information Security Officer (CISO) function.

The Group’s rules and procedures are regularly updated and supplemented to best reflect the Group’s organisation and manage the identified risks.


